Cloud Encryption – PCI Frequently Asked Questions

As a company focusing on cloud security, we're often asked about regulations, and how to achieve cloud encryption while maintaining regulatory compliance. In this post, I'd like to review some of these issues and provide a high-level guide to best practice.
But first, a brief background on the issues around cloud encryption: unlike on-premises data encryption, cloud encryption raises a significant trust issue around encryption keys and key management. An enterprise can easily encrypt a virtual cloud disk, but who manages the encryption keys? If the keys are managed by the cloud provider or the security vendor, the enterprise will not achieve compliance (and, more importantly, will not achieve true security). The same applies to field-level encryption: Oracle, for example, provides a Transparent Data Encryption (TDE) mechanism and stores the encryption keys in a "wallet". If the wallet is stored in the cloud, next to the data it protects, the encryption keys are far from safe and compliance cannot be achieved. With that in mind, let's dive into some of the issues.

Issue: Generation of strong encryption keys

PCI DSS requires that encryption keys be generated with sufficient length, but more importantly that the data used to generate the key be sufficiently random: a 256-bit key expanded from a predictable seed is no stronger than the seed, whatever its length.

To avoid doubt, make sure that your encryption provider generates strong encryption keys from a cryptographically secure random source backed by true entropy; virtual machines are notoriously short of entropy, especially right after boot. Here's a discussion of true in-cloud entropy with a flavor of real-life issues.
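As an added example (my own Go code, not Porticor's and not part of the original post), the program below contrasts a 256-bit key drawn from the operating system CSPRNG with a key of the same length expanded from a deterministic generator seeded with a Unix timestamp. The timestamp (1700000000) and the search window are constructed for the demonstration; the point is that the second key is recoverable by trying every second around the generation time, which is exactly what "sufficiently random" rules out.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	mrand "math/rand"
)

const keyLen = 32 // AES-256 key; "strong" only if every byte is unpredictable

// GenerateKey draws a 256-bit key from the operating system CSPRNG.
// This is the correct source for any data-encryption or key-encryption key.
func GenerateKey() ([]byte, error) {
	key := make([]byte, keyLen)
	if _, err := rand.Read(key); err != nil {
		return nil, fmt.Errorf("csprng unavailable: %w", err)
	}
	return key, nil
}

// weakKey is the anti-pattern: 256 bits expanded from a non-cryptographic
// generator seeded with a timestamp. The bytes look random, but the real
// keyspace is the handful of plausible seeds, not 2^256.
func weakKey(seed int64) []byte {
	r := mrand.New(mrand.NewSource(seed))
	key := make([]byte, keyLen)
	for i := 0; i < keyLen; i += 8 {
		binary.BigEndian.PutUint64(key[i:], r.Uint64())
	}
	return key
}

// RecoverWeakSeed plays the attacker: knowing roughly when the key was made,
// try every second in the window and compare. Returns the seed and true on
// success, 0 and false otherwise.
func RecoverWeakSeed(key []byte, approxUnix, windowSecs int64) (int64, bool) {
	for s := approxUnix - windowSecs; s <= approxUnix+windowSecs; s++ {
		if bytes.Equal(weakKey(s), key) {
			return s, true
		}
	}
	return 0, false
}

func main() {
	strong, err := GenerateKey()
	if err != nil {
		panic(err)
	}
	fmt.Printf("CSPRNG key:      %x\n", strong)

	const generatedAt = int64(1700000000) // constructed generation time
	weak := weakKey(generatedAt)
	fmt.Printf("time-seeded key: %x\n", weak)

	// The attacker only knows the key was made within an hour of a guess.
	if seed, ok := RecoverWeakSeed(weak, generatedAt+600, 3600); ok {
		fmt.Printf("recovered seed %d: the weak key was never secret\n", seed)
	}
	if _, ok := RecoverWeakSeed(strong, generatedAt+600, 3600); !ok {
		fmt.Println("CSPRNG key: no seed in the window reproduces it")
	}
}
```

The same argument applies to keys derived from process IDs, MAC addresses, or a freshly booted VM's starved entropy pool: length is necessary but never sufficient.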

Issue: Secure Key Distribution and secure key storage

PCI (as well as other regulations, and healthy common sense…) requires that encryption keys be distributed over a secured channel. But in a cloud scenario, the main question becomes where the encryption keys are distributed to. In other words, if the distribution channel is secure but the keys end up stored in the cloud, next to the data they protect, the risk increases significantly. Rich Mogull wrote a great article about this risk: How to Tell If Your Cloud Provider Can Read Your Data (Hint: They Can).


Issue: Split knowledge and establishment of dual control of cryptographic keys

The requirement for split knowledge is crucial in cloud deployments involving sensitive data. In a cloud scenario, split knowledge is needed first and foremost to split knowledge of the encryption keys between the cloud provider or security vendor and the enterprise, so that no single party ever holds a complete key. This means that an enterprise would need to either implement the key management system back in the enterprise data center, giving up many of the cloud's advantages in the process, or move to a secure cloud key management system that uses techniques such as split-key management and homomorphic key encryption. An example of such a system is Porticor's Virtual Private Data system. For an additional review of split-key and homomorphic key management, read this white paper.
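The split-key and key-storage points above, as an added example in Go (my own illustration, not Porticor's product code and not from the original post): the key-encryption key (KEK) is split 2-of-2 by XOR so that neither the enterprise's share nor the provider's share reveals anything about it, each record is protected with a per-object data-encryption key (DEK) that is wrapped under the KEK with AES-256-GCM, and only the envelope of ciphertext plus wrapped DEK is stored in the cloud. The share roles, the `dek-v1` label and the cardholder record are constructed for the example; the homomorphic key handling the post mentions is not modelled here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// xorBytes returns a XOR b; callers guarantee equal lengths.
func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// SplitKey implements 2-of-2 split knowledge. share1 is uniformly random and
// share2 = kek XOR share1, so each share alone is statistically independent
// of the KEK (a one-time pad): a custodian or provider holding one share
// learns nothing.
func SplitKey(kek []byte) (share1, share2 []byte, err error) {
	share1 = make([]byte, len(kek))
	if _, err = rand.Read(share1); err != nil {
		return nil, nil, err
	}
	return share1, xorBytes(kek, share1), nil
}

// JoinKey is the dual-control step: both shares must be presented together
// to rebuild the KEK, which should exist only in memory and only while used.
func JoinKey(share1, share2 []byte) ([]byte, error) {
	if len(share1) != len(share2) {
		return nil, errors.New("share length mismatch")
	}
	return xorBytes(share1, share2), nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM / openGCM: AES-256-GCM with the random nonce prefixed to the output.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func openGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("bad key or truncated ciphertext")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Envelope is the only material that needs to live in the cloud: data under
// a per-object DEK, and that DEK wrapped under the KEK. Whoever hosts the
// disk cannot recover the DEK without the KEK.
type Envelope struct {
	WrappedDEK []byte
	Ciphertext []byte
}

var dekLabel = []byte("dek-v1") // AAD binds the wrapped blob to its purpose (constructed label)

func Encrypt(kek, plaintext []byte) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	ct, err := sealGCM(dek, plaintext, nil)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := sealGCM(kek, dek, dekLabel)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

func Decrypt(kek []byte, env Envelope) ([]byte, error) {
	dek, err := openGCM(kek, env.WrappedDEK, dekLabel)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openGCM(dek, env.Ciphertext, nil)
}

func main() {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	entShare, cloudShare, _ := SplitKey(kek) // enterprise keeps one, key service the other
	env, _ := Encrypt(kek, []byte("PAN=4111111111111111 (constructed test record)"))

	// The provider side holds cloudShare plus the Envelope and still fails:
	if _, err := Decrypt(cloudShare, env); err != nil {
		fmt.Println("one share alone:", err)
	}
	// Both custodians present their shares (dual control) and decryption works:
	joined, _ := JoinKey(entShare, cloudShare)
	pt, _ := Decrypt(joined, env)
	fmt.Printf("both shares: %s\n", pt)
}
```

Note what the provider never sees: the enterprise share and the reconstructed KEK. A single share is consistent with every possible KEK (for any guess there is a matching second share), which is the property PCI's split-knowledge requirement is after; the XOR split here is the textbook 2-of-2 case, and a threshold scheme would be used where more custodians are involved.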

Oh and just in case: This blog is not intended to constitute legal advice…

Gilad Parann-Nissany, Founder and CEO at Porticor is a pioneer of Cloud Computing. He has built SaaS Clouds for medium and small enterprises at SAP (CTO Small Business); contributing to several SAP products and reaching more than 8 million users. Recently he has created a consumer Cloud at G.ho.st - a cloud operating system that delighted hundreds of thousands of users while providing browser-based and mobile access to data, people and a variety of cloud-based applications. He is now CEO of Porticor, a leader in Virtual Privacy and Cloud Security.
